Proofpoint Acquires CMU spinoff Wombat Security for $225 Million

Strip District firm is industry leader in training employees to prevent cyber attacks

Proofpoint Inc., a leading cybersecurity company, has completed its acquisition of a Carnegie Mellon University spinoff, Wombat Security Technologies Inc., for $225 million. The deal was announced by Proofpoint last month.

"Because threat actors target employees as the weakest link, companies need to continuously train employees and arm them with real-time threat data," said Gary Steele, CEO of Proofpoint in Sunnyvale, Calif. "The acquisition of Wombat gives us greater ability to help protect our customers from today's people-centric cyberattacks, as cybercriminals look for new ways to exploit the human factor."

Wombat, founded 10 years ago by three CMU computer science professors to leverage innovative university research on preventing cyber attacks, is widely recognized as a leader in cybersecurity awareness training.

"Carnegie Mellon consistently produces world leaders in cyber security, whose work protects all of us from cyber threats. Their mastery of both the technology and the human elements of computing make us all safer, as individuals, as organizations, and as a nation," said Farnam Jahanian, interim president of CMU. "This sale is a tribute to the faculty who created Wombat, as well as to the alumni who are key leaders at Proofpoint, and to all those who are helping to ensure CMU expertise benefits society more broadly."

"You always have high expectations when you start a company, but there's nothing more rewarding than to see results of your research having an impact on this scale. Our research at CMU has effectively created an entirely new segment in the cybersecurity industry, one that focuses on the human element," said Norman Sadeh, professor of computer science and chairman and chief scientist of Wombat.

Sadeh co-founded the company with Lorrie Faith Cranor, FORE Systems Professor of computer science and engineering and public policy, and Jason Hong, associate professor of computer science. Sadeh and Cranor teach in the Institute for Software Research and Hong is a faculty member of the Human-Computer Interaction Institute. All three are members of CMU's CyLab Security and Privacy Institute.

Phishing attacks trick people into divulging sensitive information, such as usernames and passwords, or into installing malware by sending them emails that appear to come from legitimate, trusted sources. It is estimated that over 90 percent of cyber attacks today involve phishing emails.

"Wombat is a good example of why we at Carnegie Mellon talk about computer science primarily as problem solving, not programming," said Andrew Moore, dean of the School of Computer Science. "Phishing and cybersecurity in general are more than technical problems; they are people problems. In typical CMU fashion, Norman, Lorrie and Jason were able to solve the problem because they understood that people and technology are inextricably linked."

The founders' approach — sending simulated phishing emails to employee inboxes — was a major departure from traditional training methods, but has since become the de facto industry standard. They showed this approach was significantly more likely to get an employee's attention and, with follow-up training, could drastically reduce susceptibility to these attacks.

"It became obvious that cybersecurity threats weren't limited to phishing," Sadeh said, and Wombat expanded its training modules to address issues related to a wide range of practices, including use of smartphones, USB drives, social networks and more. Other key products include machine learning technology to prioritize the processing of phishing emails reported by employees.

All of Wombat's training modules focus on practical, concise advice and information that employees need to know, rather than lectures about practices and policies they don't care about, Sadeh said. The modules are interactive in nature and include quick quizzes centered around practical, everyday situations that help reinforce practical learning.

Wombat has long benefited from recruiting CMU alumni, Sadeh said — so much so that some investors worried in the early years about an overabundance of CMU-related employees. But as the company expanded — including offices in Denver and London — and after Joe Ferrara, a veteran tech executive, succeeded Sadeh as CEO in 2011, both the number and diversity of employees has grown.

Several key leaders of Wombat continue to boast CMU connections. These include Wombat chief architect Kurt Wescoe, an alumnus and former faculty member in the master's program in e-Business, and Tom Sands, vice president of engineering and an alumnus of the Department of Electrical and Computer Engineering.

Proofpoint's senior leadership team includes two CMU alumni connections. Marcel DePaolis, Proofpoint co-founder and CTO, earned a bachelor's degree in electrical and computer engineering and biomedical engineering from the university, and David Knight, executive vice president and general manager of Proofpoint's Threat Systems Products Group, holds a master's degree in industrial administration and a bachelor’s degree in information systems and industrial management from CMU.

"The university was very supportive of our efforts from the beginning," Sadeh said, noting CMU made it easy to negotiate for intellectual property.